The September 2022 EU & UK Policy Update
New EU regime exposes developers to consumer lawsuits
The European Commission has proposed updated rules for product liability, including standalone software and AI. One proposal updates the Product Liability Directive, a strict liability regime for manufacturers of defective products. A second proposal complements the AI Act and sets out a specific framework allowing compensation for damages related to AI systems.
The revised Product Liability Directive expands its scope to software and digital manufacturing files. The notion of compensable damage includes recognized psychological harm and the loss or corruption of data. The new regime will allow people to claim compensation for harms related to software updates, upgrades and digital services (e.g. IoT products that become unsafe through software updates or through failure to address cybersecurity vulnerabilities). Under the rules, software will be presumed defective (and developers liable) in complex claims (e.g. cases involving pharmaceuticals or AI), and manufacturers (including software developers) will be required to disclose evidence. The revision removes the existing lower and upper thresholds for full compensation.
The AI Liability Directive (Directive on adapting non-contractual civil liability rules to artificial intelligence) is intended to harmonize the fault-based liability regimes of the Member States. It should serve as an alternative legal basis for claimants seeking compensation for AI-related harms not covered by the Product Liability Directive (e.g. infringements of fundamental rights), or for claims against users of AI products rather than against the manufacturer. The stated objective is that “any type of victim (either individuals or businesses) can have a fair chance of compensation if they are harmed by the fault or omission of a provider, developer or user of AI”.
The directive alleviates claimants’ burden of proof in order to “overcome the difficulties they might otherwise face because of the opacity of the AI system involved”, by setting:
- a rebuttable presumption of causality: if a fault has been established and a causal link to the AI system is reasonably likely, the court can presume that this non-compliance caused the damage. The liable person can rebut such a presumption, for example by proving that a different cause provoked the damage.
- access to relevant evidence: claimants will be able to ask the court to order disclosure of information about high-risk AI systems from companies and suppliers, in order to identify the person that could be held liable and to find out what went wrong. The disclosure will be subject to safeguards to protect sensitive information, such as trade secrets.
The Commission intends to assess after 5 years whether there is a need for no-fault liability provisions for AI-related claims.
The proposals are now entering the legislative process in order to be adopted by the European Parliament and the governments of the Member States (the Council of the EU).
Contact us at firstname.lastname@example.org and add your voice in support of our outreach against this proposal.
EU set to adopt baseline cybersecurity requirements and mandate CE marks for software
The European Commission has proposed the Cyber Resilience Act, a set of horizontal cybersecurity requirements for a wide range of digital products, covering their whole lifecycle.
The products in scope are “products with digital elements”, defined as “any software or hardware product and its remote data processing solutions, including software or hardware components to be placed on the market separately.” Products that have already been placed on the EU market are excluded, unless there have been “substantial modifications in their design or intended purpose.” Also excluded are cloud computing services such as Software-as-a-Service (SaaS), which fall in the scope of the NIS2 Directive, products already regulated under sectoral legislation (medical devices, in vitro diagnostic medical devices, civil aviation, motor vehicles), and products developed exclusively for national security or military purposes. Free and open-source software is excluded only if it’s developed or supplied outside the course of a commercial activity. However, the proposal specifies that “the manufacturers shall exercise due diligence when integrating components sourced from third parties in products with digital elements. They shall ensure that such components do not compromise the security of the product with digital elements”.
The regulation sets out in its annexes essential requirements for all products in scope, and stricter rules for so-called “critical products with digital elements”, divided into two classes. The first class includes ID-management systems, VPNs, browsers, various network systems, mobile device management software, and update/patch management. The second class covers operating systems for servers, desktops and mobile devices, smartcards, smartcard readers and tokens, microprocessors, and IoT devices intended for use by essential entities under the NIS2 Directive (in critical digital infrastructures and in sectors like energy, transport, banking, health, public administration, etc.).
The main obligations for manufacturers and developers are:
- mandatory security assessment requirements in relation to the design, development and production of the products, reflected in extensive technical documentation
- mandatory EU declaration of conformity and affixing of the CE marking, attesting that the product complies with the essential requirements
- continuous documented monitoring of vulnerabilities, for the expected product lifetime or for a period of five years from the placing of the product on the market
- adequate information and instructions to users
- reporting of any actively exploited vulnerability and any active incident to the European Union Agency for Cybersecurity (ENISA) within 24 hours of becoming aware of it.
Adoption of available standards can ensure the presumption of conformity. Also, conformity assessments can be performed by specialized third-party bodies (“notified bodies”).
The proposed penalties for non-compliance are severe: administrative fines of up to €5 million to €15 million, or up to 1% to 2.5% of global revenue, whichever is higher, depending on the infringement. Enforcement will be ensured by market surveillance authorities.
Both the European Parliament and the Council of the EU will have to agree on the proposal. Stakeholders are invited to provide their feedback in a consultation open until November 25th.
Contact us at email@example.com and add your voice in support of our outreach to refine this proposal.
Competition in Digital Markets
The General Court has issued its decision in the Google Android case (Case T-604/18 Google and Alphabet v Commission), largely confirming the Commission’s decision that Google imposed unlawful restrictions on manufacturers of Android mobile devices and mobile network operators in order to consolidate the dominant position of its search engine.
Developers Alliance, as intervener in this case, expressed its disappointment with the judgment. The Court made a narrow assessment of the role of competition between iOS and Android ecosystems and ignored the critical importance of anti-fragmentation measures taken by Google to ensure the stability and success of the Android ecosystem, to the benefit of millions of developers. The decision could be appealed.
The UK Competition and Market Authority (CMA) has decided to pursue an in-depth investigation of the acquisition by Microsoft Corporation of Activision Blizzard. The CMA is concerned that, “on the information currently available to it, it is or may be the case that this merger may be expected to result in a substantial lessening of competition within a market or markets in the United Kingdom”. The outcome of the investigation is expected to be announced in March 2023.
The UK communications regulator Ofcom has launched a market study into the cloud services market, to identify possible competition concerns. It will examine the position on the market of the largest providers of cloud services (‘hyperscalers’), Amazon Web Services (AWS), Microsoft and Google, and “any market features that might limit innovation and growth in this sector by making it difficult for other companies to enter the market and expand their share”.
Ofcom has also announced the intention to examine the messenger and smart-device market next year. The study will assess “how services such as WhatsApp, FaceTime and Zoom are affecting the role of traditional calling and messaging” and “the nature and intensity of competition among digital personal assistants and audiovisual ‘gateways’ – such as connected televisions and smart speakers”.
The final reports are expected within 12 months of the launch of the studies; the interim findings will be subject to a public consultation.
The Irish Data Protection Commission has fined Instagram €405 million and ordered a range of corrective measures, in relation to the processing of personal data of child users. The main concerns were public disclosure of email addresses and/or phone numbers of children using the Instagram business account feature and a public-by-default setting for personal Instagram accounts of children.
The Danish Data Protection Authority has issued its final decision on the use of Google Analytics. As the web analytics tool is considered a potential way to transfer data to the US, users should implement supplementary measures. The Danish DPA suggests a technical measure already proposed by the French DPA: pseudonymization by means of a reverse proxy. The Danish DPA emphasizes that without supplementary measures, users should “stop using the tool and, if necessary, find another tool that can provide web analytics and allows for compliance with data protection law, for example by not transferring personal data about visitors to “unsafe” third countries”.
A call for VR/AR developers to seize the opportunity to present their great products or projects and to engage in a debate on the opportunities and challenges for building the metaverse. Brussels is waiting for you! Application deadline: October 20th.
Linux Foundation Europe has been launched, with the mission “to accelerate the growth of thriving open collaborative efforts focused on challenges and opportunities of all European constituencies, from individuals to public and private sectors, while providing an on-ramp for European projects and companies to succeed and collaborate on a global scale”.
The European Union Agency for Cybersecurity (ENISA) has published the European Cybersecurity Skills Framework, an “open European tool to build a common understanding of the cybersecurity professional role profiles and common mappings with the appropriate skills and competences required”. The framework lists 12 typical cybersecurity professional role profiles along with their identified titles, missions, tasks, skills, knowledge and competences, and is accompanied by a practical guide with examples and use cases. The manual includes three examples for private organizations that need to hire, upskill and/or reskill their personnel in cybersecurity, along with relevant use cases.